Time
48 minutes
Difficulty
Advanced
CEU/CPE
1

Video Description

This lesson covers the Total Cost of Ownership (TCO) versus the Return on Investment (ROI). Essentially, ROI is a formula which measures the cost of an investment versus the gains it produces. The TCO is the purchase price of an asset in addition to the cost of operation. An item with a lower TCO will be the better value in the long run.

Video Transcription

00:04
Hopefully at this point, you're able to conceptualize just how important being able to demonstrate having proper cyber hygiene
00:13
will dramatically impact business risk,
00:16
if for no other reason than just the legal considerations.
00:21
But how can you potentially motivate preemptive action? One of the things you may want to consider is how can you financially incentivize
00:31
applying better practices.
00:34
So now let's talk about the total cost of ownership versus return on investment.
00:39
So the old adage goes, you cannot put in a return on investment on cyber security.
00:45
We've all heard this for years, right? So let's talk about what return on investment even is. Simply put, it's a formula
00:53
to measure the cost of an investment
00:57
versus the gains from that same investment.
01:00
Have you ever heard a pitch from a security vendor
01:03
boasting about how their appliance or software will dramatically improve your operational capabilities through automation? Ever stop to think if you spend $100,000 on a product,
01:15
at what point do you even break even? Wouldn't it be great if you can demonstrate to your senior leaders if you spent $100,000
01:23
At what point would you be able to break even
01:26
three months.
01:29
10 months,
01:30
19 months.
01:33
The point is, it's no longer just throwing money at security for the sake of throwing money at security.
01:38
Now you're able to try to accomplish what the board wants you to take into consideration
01:45
by being prudent with your investments.
01:48
Okay, so before we go any further,
01:49
spoiler alert
01:52
my professional observation is that while you may not be able to show a return on investment for cyber security,
01:57
you most certainly can show a reduction
02:00
in the total cost of ownership. You have a dizzying intellect.
02:05
Wait till I get going.
02:07
Leveraging the same premise that a vendor is trying to sell you on a product or service,
02:13
let's use syslog monitoring as an example
02:17
for those of you that have never done manual system log reviews
02:22
cream. It's like watching the paint dry.
02:23
It's exceptionally tedious.
02:27
It requires very detailed knowledge about the system in question.
02:30
And when you couple that with how boring this activity is,
02:36
trust me, I don't wish that job description on anybody.
02:38
And as many of you know, lots of companies were out there that don't even bother to hire individuals like us,
02:46
they would rather force the IT guys to wear multiple hats, one of which is security,
02:53
also forcing them to do things like firewall reviews,
02:57
identification and authentication reviews.
03:00
Not to mention the
03:00
always present and ever challenging
03:04
patch management each month. Who has the time or the money to automate or outsource unless you are a really big company?
03:12
So the, excuse me, for the purpose of this scenario,
03:15
let's say that this company is located in Atlanta. Let's also say they have a security administrator
03:22
Now, I just pulled this from salary.com
03:25
to give you an idea of what a median salary looks like.
03:30
So if we shoot for the middle of the road salary, the cost is about $84,000.
03:35
When we break this down, we have a burn rate of a little over $40 per hour.
03:40
Now, again,
03:42
this is only an hourly rate without benefits
03:45
being factored in, or otherwise defined as a fully loaded rate.
03:49
Okay,
03:50
so now we have the hourly rate.
03:53
We can use this hourly rate as part of a new equation.
03:57
The $40.36, which is the burn per man-hour,
04:01
multiplied by the number of hours to do a manual review of the syslogs, firewalls, patch management, et cetera,
04:11
multiplied by the number of months in any given year
04:14
gives us a value of $19,372 and change.
04:19
So this is the new barrier that should either be
04:24
beaten
04:25
or left alone.
04:27
Okay,
04:28
so we know in this particular scenario, the cost to beat is a little over $19,000.
04:34
So let's say for this scenario you're being given a quote to outsource all that to a managed security services provider. And that quote is only 15,000 per year.
04:45
The delta between the 15,000 and the 19 and change is a little over $4000 a year. That's quite a significant reduction in your total cost of ownership. However, what if the quote is higher?
04:58
If you have a higher total cost of ownership, does that mean that you simply say no? We're just gonna stick with what we're currently doing?
05:04
Not necessarily.
05:06
There are other factors to consider.
05:10
What are the costs of incident response and disaster recovery?
05:13
What are the costs of legal defense, costs of breach notifications
05:17
and cost of credit monitoring, if applicable? Big question: do you have cyber insurance?
05:24
If you don't?
05:25
Who and how do they plan on paying for all these activities
05:29
in the event of a cyber breach?

Up Next

Corporate Cybersecurity Management

Cyber risk, legal considerations and insurance are often overlooked by businesses and this sets them up for major financial devastation should an incident occur.

Instructed By

Carter Schoenberg
Executive VP of IPKeys Power Partners
Instructor